Description

Request expert help by submitting queries to the HeySummon platform, which routes them to registered human providers for assistance.

README (SKILL.md)

HeySummon Consumer Skill

Name: Hey summon
Author: thomasansems

When you (an AI agent) get stuck, request help from a human expert via HeySummon.

When someone requests help, the skill submits a request to the HeySummon platform. The platform matches it to a registered provider (human expert) who can assist. Users can say "Hey summon John Doe to help" or "Hey summon a Python expert to help". The skill then routes the request to the appropriate provider based on the registered providers in providers.json.

Setup

Step 1: Configure Environment

Create .env in the skill directory with your HeySummon platform details:

HEYSUMMON_BASE_URL=http://localhost:3445
HEYSUMMON_API_KEY=hs_cli_your_key_here
HEYSUMMON_NOTIFY_MODE=message
HEYSUMMON_NOTIFY_TARGET=your_chat_id

Platform Options:

Self-hosted: Use your local/server URL (e.g., http://localhost:3445)
Cloud: Use https://cloud.heysummon.ai

Get API Key:

Go to your HeySummon dashboard
Navigate to Users → Create user profile (or ask provider for client key)
Create a client key (starts with hs_cli_...)

⚠️ Security: API keys starting with hs_prov_ are provider keys (not client keys). These will be rejected.

Step 2: Register Provider(s)

bash scripts/add-provider.sh "hs_cli_your_key" "FriendlyName"

This fetches provider info from the platform and stores it locally. You can register multiple providers for routing.

List registered providers:

bash scripts/list-providers.sh

Step 3: Start Event Watcher

bash scripts/setup.sh

This starts a persistent SSE listener that connects to the platform's event stream (/api/v1/events/stream). You'll receive notifications when providers respond.

To stop:

bash scripts/teardown.sh

Architecture

HeySummon Platform API (/api/v1/events/stream)
           ↓
    SSE Event Stream
           ↓
   Platform Watcher (pm2)
           ↓
   OpenClaw Notification
           ↓
        Your Chat

All communication flows through the platform API. E2E encryption is handled server-side.

Scripts

Script	Purpose
`setup.sh`	Start the platform event watcher (pm2/nohup)
`teardown.sh`	Stop the watcher
`platform-watcher.sh`	SSE listener → sends notifications via OpenClaw
`submit-request.sh`	Submit a help request
`add-provider.sh`	Register a provider
`list-providers.sh`	List registered providers
`check-status.sh`	Check request status
`crypto.mjs`	E2E encryption: keygen, encrypt, decrypt
`auto-sync.sh`	Git auto-sync (cron job)

Usage

Submit a Help Request

To a specific provider:

bash scripts/submit-request.sh "Your question" '[{"role":"user","content":"context"}]' "ProviderName"

To default provider (from .env):

bash scripts/submit-request.sh "Your question" '[{"role":"user","content":"context"}]'

Provider routing: The script matches provider names case-insensitively from providers.json. If no match is found, it shows available providers and exits.

Wait for Response

The platform watcher handles real-time notifications:

🔑 Key exchange — provider connected
📩 New message — provider responded
🔒 Closed — conversation ended

Check Status (Fallback)

bash scripts/check-status.sh \x3CREQUEST_ID>

When to Use

Use HeySummon when you are truly stuck:

Ambiguous requirements needing clarification
Domain expertise required
Blocked by something you can't resolve autonomously

Request Statuses

Status	Meaning
`pending`	Waiting for provider to accept
`active`	Key exchange done — conversation in progress
`closed`	Closed by either party
`expired`	No response within 72 hours

Environment Variables

Variable	Default	Description
`HEYSUMMON_BASE_URL`	`http://localhost:3445`	Platform API URL
`HEYSUMMON_API_KEY`	(required)	Client API key (`hs_cli_...`)
`HEYSUMMON_NOTIFY_MODE`	`message`	Notification mode: `message` or `file`
`HEYSUMMON_NOTIFY_TARGET`	(required for message mode)	Chat ID for notifications
`HEYSUMMON_KEY_DIR`	`{skill}/.keys`	Directory for encryption keypairs
`HEYSUMMON_REQUESTS_DIR`	`{skill}/.requests`	Directory for active request tracking
`HEYSUMMON_PROVIDERS_FILE`	`{skill}/providers.json`	Provider registry file

Security

✅ API keys stored in .env (gitignored)
✅ Keypairs stored in .keys/ (gitignored)
✅ Providers stored in providers.json (gitignored)
✅ All paths relative to skill directory
✅ E2E encryption handled by platform
✅ No hardcoded credentials in code

Never commit:

.env
providers.json
.keys/ directory
.requests/ directory

Usage Guidance

This skill appears to do what it claims (send requests to HeySummon) but contains several behaviours you should review before installing: - Registry metadata omits required credentials: the scripts and SKILL.md expect HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET and path variables, but the published requirements list none. Treat that as a red flag. - The platform-watcher reads your OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools endpoint. That token is sensitive and belongs to another subsystem; confirm you are comfortable granting the skill that access and prefer an explicit env var if possible. - Providers' client API keys are written to providers.json and keypairs to .keys; ensure those files are gitignored and permissioned (chmod 600/700). Note the included auto-sync.sh will run git add -A; if you run it (or cron-enable it) it can accidentally commit and push secrets if .gitignore is misconfigured — disable or remove auto-sync unless you audited the repo's ignores. - The watcher runs persistently (pm2/nohup). If you don't want long-running background processes, do not run setup.sh and instead invoke submit-request manually. Inspect platform-watcher.sh to ensure it behaves as you expect. - If you plan to install: audit .env/.gitignore, remove or disable auto-sync.sh, consider replacing the implicit home-directory token lookup with an explicit HEYSUMMON_OPENCLAW_TOKEN env var, and run the watcher in a sandbox or limited-account environment first. If you do not trust the HeySummon platform or the provider keys you're registering, do not run the skill. Overall: coherent functionality but several un-declared and sensitive local accesses — proceed only after auditing and adjusting the scripts to match your security requirements.

Capability Analysis

Type: OpenClaw Skill Name: heysummon Version: 0.1.0-beta The skill is classified as suspicious due to its use of powerful system commands and access to sensitive local resources, even though these actions are largely justified by its stated purpose. Key indicators include `platform-watcher.sh` reading the OpenClaw gateway token from `~/.openclaw/openclaw.json` (though used for local communication), `curl` calls to external endpoints with API keys, and `auto-sync.sh` performing `git add`, `git commit`, and `git push origin main`. While these are documented features, they represent significant capabilities that could be leveraged for malicious purposes if the external platform or the skill's repository were compromised, or if the `node -e` JSON parsing were vulnerable to injection.

Capability Assessment

⚠ Purpose & Capability

The skill's name/description (submit queries to HeySummon) matches the scripts' purpose (submit-request, platform watcher, provider registration). However the published registry metadata declares no required environment variables or credentials while the SKILL.md and scripts clearly require HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET, HEYSUMMON_* path variables and implicitly read an OpenClaw gateway token from the user's home (~/.openclaw/openclaw.json). The missing declared requirements are an incoherence and should have been declared in the registry metadata.

⚠ Instruction Scope

The runtime instructions and scripts do more than just call the HeySummon API: the platform-watcher reads the OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools/invoke endpoint; submit-request and add-provider store client API keys in providers.json; crypto keypairs are generated and stored under .keys; platform-watcher creates a persistent SSE listener (pm2/nohup). These actions access and persist sensitive local config and create persistent processes that are not obvious from minimal description text. The watcher also fetches message bodies from the platform and will attempt to decrypt/display them — all of which are within the skill's purpose but expand the runtime access surface significantly.

ℹ Install Mechanism

There is no install spec (instruction-only), so no external downloads or archive extraction are performed by an installer. That lowers supply-chain risk. However included helper scripts (auto-sync.sh) will auto-commit and push all repo changes to origin/main if run (a non-trivial action). The skill also expects Node, curl, jq, pm2 which are standard but not declared in registry metadata. No remote binary download URLs are present.

⚠ Credentials

The skill legitimately needs a HeySummon client API key (HEYSUMMON_API_KEY) and notify-target settings, but it also reads the OpenClaw gateway token directly from the user's home directory (not declared as a required env). It stores provider client keys in providers.json and keypairs in .keys. The auto-sync script can push whatever is in the repo (potentially including misconfigured .env or providers.json) to GitHub. Requesting and reading the OpenClaw gateway token (an unrelated platform credential) is disproportionate to a simple 'submit request' description and should be explicit and optional.

⚠ Persistence & Privilege

The skill spawns a persistent background watcher (pm2 or nohup) that runs continuously and writes state to .requests, .keys, .seen-events.txt and may be auto-started by submit-request. It does not use always:true in metadata, but it does install a long-running local component and can auto-start itself. Combined with the credential access and local file writes, this persistent presence materially increases blast radius if the skill or its config are compromised.

Version History

v0.1.0-beta

HeySummon Consumer Skill v1.0.0 - Initial release of the HeySummon consumer skill. - Enables AI agents to request help from human experts via the HeySummon platform. - Supports provider registration, real-time event notifications, and secure E2E communication. - Includes utility scripts for submitting requests, managing providers, and monitoring status. - Comprehensive setup and usage instructions provided in SKILL.md.

Metadata

Slug heysummon

Version 0.1.0-beta

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Hey summon?

Request expert help by submitting queries to the HeySummon platform, which routes them to registered human providers for assistance. It is an AI Agent Skill for Claude Code / OpenClaw, with 378 downloads so far.

How do I install Hey summon?

Run "/install heysummon" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Hey summon free?

Yes, Hey summon is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Hey summon support?

Hey summon is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Hey summon?

It is built and maintained by thomasansems (@thomasansems); the current version is v0.1.0-beta.

More Skills

Hey summon